Method and system for detecting and remediating polymorphic attacks across an enterprise

ABSTRACT

Disclosed are methods and systems for detecting malware and potential malware based on using generalized attack trees (generalized attack tree graphs). The generalized attack trees are based on attack trees (attack tree graphs), whose objects, such as links and vertices, have been analyzed, and some of these objects have been generalized, resulting in the generalized attack tree of the invention.

CROSS-REFERENCES TO RELATED APPLICATIONS

This application is a Continuation Patent Application of commonly ownedU.S. patent application Ser. No. 15/373,482, entitled: METHOD AND SYSTEMFOR DETECTING AND REMEDIATING POLYMORPHIC ATTACKS ACROSS AN ENTERPRISE,filed on Dec. 9, 2016, now, U.S. Pat. No. ______, which is related toand claims priority from commonly owned U.S. Provisional PatentApplication Ser. No. 62/264,890, entitled: Method and System forDetecting and Remediating Polymorphic Attacks Across an Enterprise,filed on Dec. 9, 2015, the disclosures of both of the aforementionedpatent applications are incorporated by reference in their entiretiesherein.

TECHNICAL FIELD

The present invention relates to methods and systems for detectingpotential malware.

BACKGROUND OF THE INVENTION

Malware is any software used to disrupt computer operations, gathersensitive information, or gain access to private assets residing incomputer systems. This can lead to the malware creator or otherunauthorized parties gaining access to the computer system and privateinformation stored on the computer system being compromised. Malwareincludes computer viruses, worms, trojan horses, spyware, adware, keyloggers, and other malicious programs. These programs can appear in theform of computerized code, scripts, and other software.

Polymorphic Attacks

Metamorphic and polymorphic malware are two categories of malicioussoftware programs (malware) that have the ability to change their form(morph) as they propagate. Metamorphic malware is rewritten with eachiteration so that each succeeding version of the code is different fromthe preceding one.

Polymorphic malware is harmful, destructive or intrusive computersoftware such as a virus, worm, Trojan or spyware that constantlychanges (“morphs”), making it difficult to detect with anti-malwareprograms. Evolution of the malicious code can occur in a variety of wayssuch as filename changes, compression, encryption with variable keys,and string changes, etc.

Although the appearance of the code in polymorphic malware varies witheach “mutation,” the essential function usually remains the same. Forexample, a spyware program intended to act as a keylogger will continueto perform that function even though its signature changes. If themalicious program is discovered by an anti-malware vendor and itssignature is added to a downloadable database, the anti-malware programwill fail to detect the rogue code after the signature has changed, justas if a new virus, worm, Trojan or spyware program has emerged. In thisway, malware creators gain an advantage over countermeasure developers

SUMMARY OF THE INVENTION

Embodiments of the invention are directed to a method for detectingpotential malware. The method comprises: obtaining an attack treerepresentative of an attack on a network, the attack tree formed ofobjects; analyzing the objects to determine whether each of the objectsis classified as known or unknown, in accordance with predefinedcriteria; and, representing the unknown objects in the attack tree asgeneralized, resulting in the creation of a generalized attack tree fromthe obtained attack tree.

Optionally, the objects include links and vertices.

Optionally, the links are determined to be known.

Optionally, an object is determined as unknown when: a) the object isunknown in accordance with predetermined criteria; or, b) the object isknown and malicious in accordance with predetermined criteria.

Optionally, the attack on the network occurs in at least one machinelinked to the network.

Optionally, the attack on the network occurs at an endpoint of thenetwork.

Embodiments of the invention are directed to a computer usablenon-transitory storage medium having a computer program embodied thereonfor causing a suitable programmed system to detect potential malware, byperforming the following steps when such program is executed on thesystem. The steps comprise: obtaining an attack tree representative ofan attack on a network, the attack tree formed of objects; analyzing theobjects to determine whether each of the objects is classified as knownor unknown, in accordance with predefined criteria; and, representingthe unknown objects in the attack tree as generalized, resulting in thecreation of a generalized attack tree from the obtained attack tree.

Optionally, the computer usable non-transitory storage medium is suchthat the objects include links and vertices.

Optionally, the computer usable non-transitory storage medium is suchthat the links are determined to be known.

Optionally, the computer usable non-transitory storage medium is suchthat an object is determined as unknown when: a) the object is unknownin accordance with predetermined criteria; or, b) the object is knownand malicious in accordance with predetermined criteria.

Embodiments of the invention are directed to a method for detectingpotential malware. The method comprises: a) obtaining a firstgeneralized attack tree; b) breaking the first generalized attack treeinto subtrees; c) obtaining at least one subtree associated with asubsequent generalized attack tree; d) comparing the subtrees from thefirst generalized attack tree to the subtrees associated with thesubsequent generalized attack tree, based on the generalized objects;and, e) creating an updated generalized attack tree from the subtreesfrom the first generalized attack tree and the subtrees associated withthe subsequent generalized attack tree. Optionally, the methodadditionally comprises: f) obtaining the subtrees associated withupdated generalized attack tree; g) comparing the subtrees associatedwith the updated generalized attack tree with subtrees associated with asubsequent generalized attack tree, based on the generalized objects;and, h) creating an updated generalized attack tree from the subtreesfrom the previously updated generalized attack tree and the subtreesassociated with the subsequent generalized attack tree.

This document references terms that are used consistently orinterchangeably herein. These terms, including variations thereof, areas follows.

A uniform resource locator (URL) is the unique address for a file, suchas a web site or a web page, that is accessible over Networks includingthe Internet.

A “computer” includes machines, computers and computing or computersystems (for example, physically separate locations or devices),servers, computer and computerized devices, processors, processingsystems, computing cores (for example, shared devices), and similarsystems, workstations, modules and combinations of the aforementioned.The aforementioned “computer” may be in various types, such as apersonal computer (e.g., laptop, desktop, tablet computer), or any typeof computing device, including mobile devices that can be readilytransported from one location to another location (e.g., smartphone,personal digital assistant (PDA), mobile telephone or cellulartelephone).

A server is typically a remote computer or remote computer system, orcomputer program therein, in accordance with the “computer” definedabove, that is accessible over a communications medium, such as acommunications network or other computer network, including theInternet. A “server” provides services to, or performs functions for,other computer programs (and their users), in the same or othercomputers. A server may also include a virtual machine, a software basedemulation of a computer.

A “client” is an application that runs on a computer, workstation or thelike and relies on a server to perform some of its operations orfunctionality.

“n” and “nth” refer to the last member of a varying or potentiallyinfinite series.

Unless otherwise defined herein, all technical and/or scientific termsused herein have the same meaning as commonly understood by one ofordinary skill in the art to which the invention pertains. Althoughmethods and materials similar or equivalent to those described hereinmay be used in the practice or testing of embodiments of the invention,exemplary methods and/or materials are described below. In case ofconflict, the patent specification, including definitions, will control.In addition, the materials, methods, and examples are illustrative onlyand are not intended to be necessarily limiting.

BRIEF DESCRIPTION OF THE DRAWINGS

Some embodiments of the present invention are herein described, by wayof example only, with reference to the accompanying drawings. Withspecific reference to the drawings in detail, it is stressed that theparticulars shown are by way of example and for purposes of illustrativediscussion of embodiments of the invention. In this regard, thedescription taken with the drawings makes apparent to those skilled inthe art how embodiments of the invention may be practiced.

Attention is now directed to the drawings, where like reference numeralsor characters indicate corresponding or like components. In thedrawings:

FIG. 1 is a diagram illustrating a system environment in which anembodiment of the invention is deployed;

FIG. 2 is a diagram of the architecture of an exemplary system embodyingthe invention;

FIG. 3 is a diagram of an example of a malicious attack in the form ofan attack tree;

FIGS. 4A and 4B area flow diagram illustrating a process to identifyobjects from an attack tree and determine whether to generalize them ina generalized tree (or graph), corresponding to the attack tree of FIG.3.

FIG. 5 is a generalized tree (graph), resulting from the process ofFIGS. 4A and 4B operating on the attack tree of FIG. 3;

FIG. 6 is a normalized tree (graph) based on the generalized tree(graph) of FIG. 5;

FIG. 7 shows an environment in which a process of the invention fordetecting malware and other malicious objects;

FIG. 8A is a flow diagram of a process performed by a machine in acentral location on the enterprise network of FIG. 7;

FIG. 8B is a process performed by a machine on the enterprise network ofFIG. 7 for the first attack tree to be processed by the machine of thecentral location;

FIG. 8C is a process performed by a machine on the enterprise networkfor a subsequent attack tree to be processed by the machine of thecentral location;

FIG. 9A is a diagram showing an attack tree and subtrees createdtherefrom;

FIG. 9B-1 is an illustration of subtree analysis, performed by theprocess of FIG. 8A; and,

FIG. 9B-2 is an illustration of an attack tree made by combining twoattack trees in accordance with the process of FIG. 8A.

DETAILED DESCRIPTION OF THE DRAWINGS

The present invention provides methods and systems for analyzing attacktrees or attack tree graphs, as created, for example in commonly ownedU.S. patent application Ser. Nos. 1) U.S. patent application Ser. No.14/963,267, entitled: Method and System for Modeling All Operations andExecutions of an Attack and Malicious Process Entry, filed on Dec. 9,2015, 2) U.S. patent application Ser. No. 14/963,265, entitled: Methodand System for Determining Initial Execution of an Attack, filed Dec. 9,2015, 3) U.S. Provisional Patent Application Ser. No. 62/264,881,entitled: Method and System for Identifying Potentially Malicious EventsDuring an Attack, filed on Dec. 9, 2015, and 4) U.S. patent applicationSer. No. 15/292,169, entitled: Method and System for IdentifyingUncorrelated Suspicious Events During an Attack, filed on Oct. 13, 2016,the disclosures of which are incorporated by reference in their entiretyherein. These attack trees graphically show attacks on endpoints ofnetworks, systems and the like, through a series of objects, such asvertices connected by links, the vertices and links themselves beingobjects.

As malware tends to be polymorphic, the methods and systems of thepresent invention treat the objects, for example, the vertices betweenlinks in the attack tree graph, to be indicative of malware, andclassified as “unknown”. Other objects in the attack tree graph remainclassified as “known”. These “unknown” objects are generalized, inaccordance with processes of the invention, and a generalized attacktree (attack tree graph) is created from the initial attack tree (attacktree graph), where these “unknown” objects have been generalized, andare represented as such in the generalized attack tree. By generalizingthese “unknown” objects, and creating the generalized attack treetherefrom, malware is accurately identified, allowing for highprobabilities of finding other instances of this same malware in otherattack trees.

Moreover, as malware is multistage, the generalized attack trees of thepresent invention, allow for the detection of malware, based onhistorical executions of the malware, from the first instance of itsexecution.

Upon the detection of an attack (i.e., malicious attack) on a usercomputer, such as, for example, an endpoint client, a graphical model ofthe attack can be generated by an agent installed on the user computer(or on an administrator computer linked to the user computer). In apreferred but non-limiting implementation, a virtual attack tree isgenerated as the graphical model representative of such an attack. Themethodology of the construction of such a tree based model is disclosedin the applicants' commonly owned U.S. patent application Ser. No.14/963,267, entitled: Method and System for Modeling All Operations andExecutions of an Attack and Malicious Process Entry, filed on Dec. 9,2015, the disclosure of which is incorporated by reference in itsentirety herein.

The above algorithm's output is in the form of a tree. The tree depictsthe execution (i.e., call) of the attack on the detected computer. Thevertices (nodes) of the tree represent the artifacts or objects (theterms artifacts, objects and nodes are used interchangeably herein, withvertices and links being types of artifacts, objects and nodes) createdand/or executed, either directly or indirectly, as well as any filescreated or accessed by any of the above mentioned processes, forexample, a Process, a file, a URL, and a Registry Key

The links between the vertices represent the actual action that was doneby/to the vertice (object or artifact) by its neighbor vertices (objector artifact), which include, for example:

File creations

File Writes

File Reads

File Deletes

File accesses

Http Get

Http Post

Kernel Object Created

Kernel Object Acquired

Process injected

Hook Installed

Hook Accessed

Registry Key created

Registry key changed

Registry key Read

Process direct execution

Process indirect execution As a result, the virtual attack tree depictsa model of the attack in a specific computer, including all theartifacts involved and how they affect the system.

Following the above discussed event analyzing algorithms together withthe nature of the data being constantly recorded, the amount ofinformation gained about the specific attack is at the same time muchmore accurate and noise free than any other conventional detectionsystem. Noise in this case means the benign or unrelated artifacts thatare not related to the attack, but do take part in it. Lack of noiseincreases the confidence of related artifacts and enables this detectionsystem to provide automatic remediation tools that do not require humaninteraction, without extra risk of damaging the system, when there aredeleting/reverting malware activities.

Typically, the user computer is linked to other computers over anetwork, such as, for example, the Internet, an Intranet, cellularnetworks, wide area, public, and local networks. Accordingly, by sharingthe knowledge gained from a specific attack on a specific computer withother computers on the network (i.e., elements of the enterprise or inthe wild) enables early detection, and remediation before the malwaremanages to perform malicious activity.

The sharing of the knowledge may be accomplished by uploading thenominated attack tree graph, as created by the process disclosed hereinto a central management console or server that is linked to the networkand is accessible by all computers on the network, or by directlytransmitting (or otherwise communicating) it to computers on thenetwork.

However, in contemporary attacks (the most common), many of theartifacts participating in the attack are polymorphic:

-   -   Artifact (or object) names (usually file names, file paths,        registry keys, global object names, like mutexes or pipes, URLs,        IP (internet Protocol) addresses) are randomized by the malware        authors. This means that they will be different in any other        instance of the attack.    -   Binary form: Calculating hashes of the binary is one of the most        common methods of malware detection. Malware is aware of this        and therefore modern malware will make sure that different        attack instances present different binary hashes        (md5/sha1/sha2/sha256).    -   Behavioral model: Malwares can change their behavior according        to the system in which they are they are acting in, the        installed software versions, the type of processor, etc., or        just change some of its behaviors in different instances to        avoid regular behavioral detection.

Accordingly, the present invention allows for the detection orprevention attacks in other systems, by looking for sequence of actionsand the relations between each other that look like the presentlyexisting normalized sequence of attacks.

In the context of this document, the term dataobject/object/artifact/node/vertice generally refers to files, registrykeys, network operations, file modifications, registry entries,injections, mutexes, pipes, hooks, and application arguments.

Before explaining at least one embodiment of the invention in detail, itis to be understood that the invention is not necessarily limited in itsapplication to the details of construction and the arrangement of thecomponents and/or methods set forth in the following description and/orillustrated in the drawings and/or the examples. The invention iscapable of other embodiments or of being practiced or carried out invarious ways.

As will be appreciated by one skilled in the art, aspects of the presentinvention may be embodied as a system, method or computer programproduct.

Accordingly, aspects of the present invention may take the form of anentirely hardware embodiment, an entirely software embodiment (includingfirmware, resident software, micro-code, etc.) or an embodimentcombining software and hardware aspects that may all generally bereferred to herein as a “circuit,” “module” or “system.” Furthermore,aspects of the present invention may take the form of a computer programproduct embodied in one or more non-transitory computer readable(storage) medium(s) having computer readable program code embodiedthereon.

Throughout this document, references are made to trademarks, and domainnames. These trademarks and domain names are the property of theirrespective owners, and are referenced only for explanation purposesherein.

FIG. 1 shows an example environment in which embodiments of the presentdisclosure are performed over a network 110. The network 110 may beformed of one or more networks, including, for example, the Internet,cellular networks, wide area, public, and local networks. Theembodiments include a system 120′ (FIG. 2), including, for example, anagent 130, on an endpoint client, for example, a user computer 120(linked to the network 110). The agent 130 determines the initialexecution of an attack (i.e., malware attack) on the user computer 120.Based on this initial execution of an attack, the entry point of theattack can be determined (by the entry point determination module 138)and the attack can be modeled, for example, in the form of an attacktree, by the attack modeling module 139, as shown in FIG. 2.

In a non-limiting example, a malware host 140, also linked to thenetwork 110, creates a malicious file that when executed calls a processthat may be a malicious process or a benign process. The malicious fileis made available to the host server 150 by the malware host 140. Thehost server 150 is linked to the network 110 and represents numerousservers hosting, for example, web sites, accessible through web servers(not shown). The malicious file enters the user computer 120 via theaccess of the host server 150 by the user computer 120.

The agent 130 includes software, software routines, code, code segmentsand the like, embodied, for example, in computer components, modules andthe like, that are installed on machines, such as the user computer 120.For example, the agent 130 performs an action when a specified eventoccurs, as will be further detailed below. The agent 130 may beinstructed to perform such actions by an administrator 160. Theadministrator may be a computer separate from the user computer 120linked to the user computer 120 via a private network 170 such as anIntranet. Alternatively, the administrator 160 may be linked to the usercomputer 120 via the network 110.

FIG. 2 shows the user computer 120 and the system 120′ therein, as anarchitecture, with the agent 130 incorporated into the system 120′ ofthe user computer 120. The system 120′ is referred to as “the system” inthe descriptions of FIGS. 3-6 below. All components of the user computer120 and/or system 120′ are connected or linked to each other(electronically and/or data), either directly or indirectly.

Initially, the user computer 120 (and system 120′) includes a centralprocessing unit (CPU) 122, a storage/memory 124, and an operating system(OS) 126. The processors of the CPU 122 and the storage/memory 124,although shown as a single component for representative purposes, may bemultiple components.

The CPU 122 is formed of one or more processors, includingmicroprocessors, for performing the user computer 120 functions,including executing the functionalities and operations of the agent 130,as detailed herein, the OS 126, and including the processes shown anddescribed in the flow diagrams of FIGS. 4A and 4B. The processors are,for example, conventional processors, such as those used in servers,computers, and other computerized devices. For example, the processorsmay include x86 Processors from AMD and Intel, Xenon® and Pentium®processors from Intel, as well as any combinations thereof.

The storage/memory 124 is any conventional storage media. Thestorage/memory 124 stores machine executable instructions for executionby the CPU 122, to perform the processes of the present embodiments. Thestorage/memory 124 also includes machine executable instructionsassociated with the operation of the components, including the agent130, and all instructions for executing the processes of FIGS. 4A and4B, detailed herein.

The OS 126 includes any of the conventional computer operating systems,such as those available from Microsoft of Redmond Wash., commerciallyavailable as Windows® OS, such as Windows® XP, Windows® 7, MAC OS fromApple of Cupertino, Calif., or Linux.

Activity that occurs on the user computer 120 is sensed by a sensor orsensors 136. In particular, the sensors 136 are configured to sensechanges that occur on the user computer 120. Examples of activity sensedby the sensors 136 includes, but is not limited to file accesses,network accesses, application accesses, registry accesses, filecreations, file modifications, process injections, process calls andprocess creations. The activity sensed by the sensors 136 is written to(i.e., stored in) an activity log which can be maintained in astructured format, such as, for example, a database(s) 132, accessibleby the agent 130, entry point determination module 138 and attackmodeling module 139.

The database 132 may be installed with the system 120′, or may beprovided on a remote server, such as, for example, a cloud server 135(and remain part of the system 120′). Accordingly, the activity log(stored in the database 132) includes a listing of the executions andcreations of the processes, also known as “application processes”, anddata objects on the user computer 120. The activity log may beprogrammed or otherwise configured to retain the above mentionedinformation for blocks of time, for example, weeks, months and years.The activity log may also be programmed or otherwise configured tooverwrite information pertaining to older activity with informationpertaining to recent activity. As such, the activity log retainsinformation for a sliding window of time. Other database(s) 132 includethose associated with stacks, queues, and lists, e.g., file and URL/IPlists, respectively, and detailed below.

The agent 130 makes determinations regarding processes, also knownherein as “application processes”, executed on the user computer 120based on the reputations of the processes called, and by extension, thereputations of files that when accessed or opened result in theexecution of processes. The reputations of the above mentioned processesand files are provided to the agent 130 by a reputation service in theform of a reputation module 134. The reputation module 134 is typicallyprovided on a remote server, such as, for example, a cloud server 135,that is accessible by the agent 130. Alternatively, the reputationmodule 134 may be installed on the user computer 120 as part of ananti-malware software suite such as, for example, Microsoft® SecurityEssentials, Norton® anti-virus, and McAfee® anti-virus. Note that thereputation module 134 may also be installed as part of the agent 130.Accordingly, the agent 130 may be configured to perform processes (notshown) for classifying processes and files into the three abovementioned categories.

The reputation module 134 analyzes the files accessed and the processesexecuted on the user computer 120, either instantaneously or over aperiod of time. As a result, the reputation module 134, which may alsolink to a reputation service, is able to classify all applicationprocesses executed on the user computer 120 into three categories:malicious processes, unknown processes, and non-malicious processes(i.e., good processes). As an example, processes run from payloadapplications, for example, MS Word®, MS Excel®, are typically classifiedas non-malicious processes. The process called by the execution of theWindows® OS executable file sdbinst.exe is also an example of anon-malicious process.

The reputation module 134, regardless of its location, may also be partof the system 120′.

An entry point determination module 138 performs processes such as thoseshown in FIGS. 4A and 4B and detailed below, for determining the point(location) where the malicious or suspicious process entered theendpoint, for example, the user computer 120, system 120′, network(e.g., network node) or the like, and may be based on the initialexecution of the attack, e.g., the attack root of the malicious processor a suspicious process, the attack root described, for example, incommonly owned U.S. patent application Ser. No. 14/963,267, entitled:Method and System for Modeling All Operations and Executions of anAttack and Malicious Process Entry.

An attack modeling module 139 allows for an attack tree to be createdand plotted (diagrammed), based on, for example, the entry point of themalicious or suspicious process, at the requisite endpoint.

To better understand the operation of the components, including theagent 130 and all instructions for executing the processes of FIGS. 4Aand 4B, FIG. 3 shows a diagram of an example malicious attack 300 on anenterprise, which is detected and remediated by the system 120′ inaccordance with the invention.

In the example malicious attack, the OS 126 of the user computer 120 isa Windows® OS. The attack 300, illustrated in FIG. 3 depicts paths thatinclude creations of files and data objects (exemplified by broken linearrows), execution events in which a process (application process)executes (i.e., calls) another process (application process) andaccesses, such as, for example, downloads, uploads, data transfers, and,file transfers, and the like. Additional paths in alternative example ofattacks, including malicious attacks, may be depicted to show networkoperations, file modifications, registry entries, injections, mutexes,pipes, hooks, and application arguments.

In FIG. 3, the attack tree is formed of various artifacts (objects),some of which are benign processes, while other artifacts are installedby the attack itself. Initially, the computer user's browser is directedto the URL http://kat.ph. The executable process chewbaca.exe isdownloaded to the user's computer. The execution of the processchewbaca.exe causes the creation of the file random.exe and starts theprocess sdbinst.exe. The process sbdinst.exe is a Windows® process(Windows® is from Microsoft, Inc. of Redmond Wash., USA), and is, forexample a benign Windows® process.

Building Generalized Attack Trees

The process sbdinst.exe starts the process random.exe. The random.exeprocess executes, causing the URL http://clipconverter.cc to be renderedto the browser of the user computer, and creates two files: 1)fake_clip.mov, and, 2) wp.exe. The random.exe process also starts theprocess chrome.exe and wp.exe.

The now executing chrome.exe process causes the browser of the usercomputer to direct to the URL http://clipconverter.cc, where multiple adclips are rendered to the user's browser. With the process wp.exe nowexecuting, it creates the process duuwysyju32.exe. The wp.exe hascreated a service to execute the duuwysyju32.exe process.

The duuwysyju32.exe reads the file exfiltrate.txt and transfers data byexfiltration to a destination outside of the enterprise network, such asa destination along the world wide web (WWW).

FIGS. 4A and 4B are a flow diagram of a process used to evaluateattacks, for example, the attack 300 of FIG. 3. The process is in twophases, a first phase to determine whether to generalize a vertice, fromblocks 402-432, and a second phase of how to generalize each verticeselected for generalization from the first phase, at blocks 440-454.

The process begins at block 402, where an attack tree 300, such as thatof FIG. 3, is generalized (continuing through block 454), resulting in ageneralized attack tree or graph 300′, and, for example, normalized (anormalized attack tree or graph 300″), as shown in FIG. 6. At block 402,all objects of the attack tree (graph), for example, links and vertices,are placed into a queue (e.g., storage media), and these objects aresubsequently removed or “popped” from the queue, for example, one at atime, at block 404. The process moves to block 406, where it isdetermined whether the object is a link or vertice. A link isrepresented by an arrow between blocks or vertices. If a link, at block406, the link is kept as it is, and moved to the generalized tree beingbuilt, at block 408. This follows the assumption that in an attack tree,links are not polymorphic.

From block 408, the process moves to block 410, where the link is placedinto a generalized tree being built. From block 410, the process movesto block 412, where it is determined whether the queue is empty ofobjects. Should the queue be empty of objects, the process moves toblock 414, where the process ends, as a generalized attack tree has nowbeen built (is complete). Should the queue not be empty of objects, theprocess moves to block 404, from where it resumes, as the next object isremoved, or “popped” from the queue for analysis by the process of theinvention.

Returning to block 406, should the object be a vertice, the processmoves to block 420. At block 420, the object type is selected. Thisobject type includes a URL, a file, a process, a registry key, or otherobject (which is defined by the system and can change over time,including adding to or subtracting from a list of other objects). Fromblock 420, the process will move the block 430, depending on the variousobject types.

Each object type will be analyzed, resulting in a field score for eachtest/analysis, as performed in each block (or group of blocks whereindicated) of the 422, 424, 426 and 428 series of blocks. For example,the field score may be rendered as “known” or “unknown”, with criteriasuch that “known” means known and not malicious, with “unknown” meaningeither: 1) known and malicious, or 2) unknown. The criteria for “known”and “unknown” is, for example, set by the system or by a systemadministrator, programmed into the system, or the like. A field scorecan be for example, a binary “1” or “0. For example, a field score for atest/analysis which results in an item/object/artifact which is “known”,and may have a score of “1”, while a field score for a test/analysiswhich results in an item/object/artifact with is “unknown” may have ascore of “0”. Alternately, the binary scores of “1” and “0” can bereplaced with regular and/or weighted numeric scores. Also, not everyobject type has to be subjected to every analysis in the 422, 424, 426and 428 series, should that aspect of the object not be present, or thesystem is not programmed to perform that specific analysis.

Should the object be a URL, the process moves to blocks of the 422series. Should the object be a file or process (hereinafter, anapplication process), the process (the overall process) moves to blocksof the 424 series. Should the object be a Registry Key, the processmoves to blocks of the 426 series. Should the object be a an objectwhich is not a URL, File, Application Process, or Registry Key, butdefined within the system, the process moves to blocks of the 428series.

Turning to blocks of the 422 series, for a URL object, the domain isseparated from the URL, at block 422 a. Next, at block 422 b, the domainreputation is analyzed, to provide a field score. This is typically doneby using reputation systems that determined the commonality of thedomain. Should a domain not be known by reputation sources, this is astrong indicator of polymorphism (although it can be a new version of aknown object).

The process moves to block 422 c, where the company name is obtained.Moving to block 422 d, the company reputation, based on the companyname, is evaluated. For example, the company reputation is scored,typically by comparing the company name to predetermined reputationscores for companies in a database or the like. Also, the name of thecompany associated with the domain, for example, the company signing theobject is considered by comparing the object to those of a white list ofhigh reputation companies and their certificates. The company reputationis given a field score. Next, the process moves to block 422 e, where,for example, other evaluations, such as the type of web site, web pagesassociated with this domain, is evaluated, and given a field score. Forexample, if the type of the web site is news, weather, a store, it willbe acceptable, and for example, given a binary “1” or other high score.However, if the type of the web site is gambling, casinos,pharmaceuticals, pornography, it will probably result in an unacceptablescore (at block 430), for example, a binary “0” or other low score. Fromblock 422 e, the process moves to block 430.

At block 430, the object is found to be known or unknown, based on oneor more of its field scores, this sum of the field scores is combinedinto an overall knowledge score. This overall knowledge score, is, forexample, a binary 1, indicating the object is “known”, or a binary “0”indicating “unknown” and it is treated as a polymorphic object trying toavoid detection, meaning that the object is 1) known and malicious, or2) unknown. The overall score can also be cumulative, either of binarydigits or numeric, and in accordance with its position above or below athreshold, as determined by the system, system administrator or thelike, results in an overall object score for an object, which is “known”or “unknown”.

Returning to block 420, should the object be a file or applicationprocess, the overall process moves to blocks 424 a-424 h. Beginning atblock 424 a, the path name of the file/application process is separatedfrom the file/application process. Next, at block 424 b, the path fromblock 424 a is normalized. Normalizing is done by replacing parts of thepath that match windows environmental variables, with the variablesthemselves quoted. For example, the path a:\users\sally\downloads\file.txt, is replaced bya:\<HOMEPATH*>\downloads\file.txt, as <HOMEPATH*>has replacedusers\sally, normalizing the path (a:). The normalization of certain ofthese objects results in the attack tree 300″ of FIG. 6.

Moving to block 424 c, the file type, e.g., .doc, executable (.exe) orimage (.jpeg, .tiff), is determined At block 424 c, the file type isdetermined according to the file extension and the file content,including “magic bytes” and other calculations, assuming malware mayintentionally change the file extension to avoid detection or analysis.Should the file type be one known to carry malware or other threats, orsimply be an unknown type, the file will be considered to be unknown,and scored (field score) accordingly. Otherwise, the file will beconsidered to be known, and scored (field score) accordingly. Theprocess now moves to blocks 424 d, formed of blocks 424 d-1, when thefile type is a payload script, 424 d-2 a and 424 d-2 b when the file isa document or .doc, and 424 d-3, when the file is an executable, i.e., a.exe file, and 424 d-4, where the file type is not a payload script, adocument or .exe file. This other file at block 424 d-4 may be, forexample, a library file, a photograph, or other file type.

A payload script, at block 424 d-1 is a script which executes a payloadprocess. A payload process is a process or application which istypically benign, but can execute malicious activity. Some exemplarypayload script types include, for example, Java Script, Virtual Basic,and, Power Shell. This payload process script is analyzed and assigned afield score, typically based on criteria programmed into the system.

Turning to blocks 424 d-2(a and b), should the file be a document, i.e.,.doc, .docx, or the like, at block 424 d-2 a, the active content isanalyzed for a score, at block 424 d-2 b. The field score is assigned,for example, based on criteria programmed into the system 120′.

At block 424 d-3, the file is an executable, i.e., a .exe file, and isevaluated for a score. The field score is assigned, for example, basedon criteria programmed into the system.

At block 424 d-4, the file in one that is not a payload script, adocument or a .exe, but could be, for example, a library file, apicture, or another file. Depending on the score as programmed into thesystem, this other file type could be considered “known” or “unknown”.

From blocks 424 d-1, 424 d-2 b, 424 d-3 and 424 d-4, the process movesto block 424 e, where other tests/analysis are performed, to determine ascore. These tests/analysis, include, for example, java script, macros,and the like. The field score is assigned, for example, based oncriteria programmed into the system 120′.

Moving to block 424 f, the reputation of the file/application process isanalyzed. This is typically performed by a reputation service, whichindicates the commonality of the file/application process. If thefile/application process is common, it is probably going to be scored(field score) as “known”, while if the file is not common, it willprobably be scored (field score) as “unknown”. Also at block 424 f, thereputation of the company who created the file is evaluated. Should thecompany be known and have a good reputation, the score (field score)will be indicated as “known”, while if the company reputation is notwell known, the reputation will probably be scored (field score) as“unknown”.

The process moves to block 424 g, where the digital certificate of thefile is evaluated. Should the digital certificate be valid or active andsigned by a known entity, the score (field score) it is probably goingto “known”, while if the digital certificate is expired, and/or notsigned, and/or signed by an unknown entity, the digital certificate willprobably be scored (field score) as “unknown”.

The process then moves to block 424 h. Here, other tests/analysis areperformed on the object, to determine a score. These tests/analysis,include, for example, java script, macros, and the like. The field scoreis assigned, for example, based on criteria programmed into the system120′.

From block 424 g, the process moves to block 430, where the score basedon blocks 424 a-424 g is determined, as detailed for block 430 above.

Should the object be a process, the evaluation process for this processfollows the path of blocks 424 a-424 c, from block 420 to block 430, asdetailed for a file (when the file is the object at block 420) above.

Should the object be a registry key, the process moves from block 420,to block 426 a and 426 b. At block 426 a, the registry key type, e.g.,the default value of the key, and given a field score according tosystem criteria (e.g., as programmed into the system). At block 426 b,additional other calculations/analysis, such as, for example,determining the entity who can access the key, are performed.

At block 426 b, other calculations to determine a field score, such asone based on the key depth are performed. Key depth is analyzed, bylooking at keys, and subsequent sub keys, to determine the subkey depthwhere the subkey is no longer known, and accordingly, wheregeneralization begins. If the generalization, begins before a threshold(as programmed into the system), the registry key will probably bescored as “unknown”, while if the generalization begins after athreshold (as programmed into the system), the registry key willprobably be scored as “known”. This score is finalized at block 430.

Should the registry type be unknown, it is scored (field score)accordingly. Should the registry key type be known, it is scored (fieldscore) accordingly.

Returning to block 420, should the object be an object, which is not aURL, file, application process, or registry key, the object isclassified as “other”. The process moves to block 428, where a specificcalculation is made, as programmed into the system, to evaluate theother object. For example, should the object be a mutex, the name isevaluated. Should the name be known, the score (field score), at block428 will be indicative of “known”. Otherwise, should the name be knownand malicious, or unknown, the score, at block 428, will be indicativeof unknown. Also for example, should the object be a pipe, the port ortarget application associated therewith is evaluated, to determine thescore (field score), at block 428. As the system becomes aware of stillother objects, the system can be programmed to evaluate these otherobjects at block 428. The field scores at block 428 become the overallobject scores at block 430.

At block 430, with the scores assigned, both for each field and overall,for each type, the process moves to block 432, where the overall score,based on the relevant field scores, is correlated with the object beingknown or unknown. Should the overall score be indicative of the objectbeing known, the process moves to block 410, where the object (i.e.,vertice) is pushed to the generalized tree being built, with the objectadded to the generalized tree being built at block 410. The process thenresumes from block 410, as detailed herein.

Returning to block 432, should the overall score be indicative asunknown, the process moves to block 440. With the object now consideredto be unknown, it is treated as a polymorphic object trying to avoiddetection, for example, as mentioned above. The object is generalized insuch a way that it is accurately represented though lowering the inheritrisk of making damage by over-generalization.

At block 440, the object type is again identified. The process moves toblock 450, where for each identified object type, constant parts orcharacteristics are separated from random parts or characteristics.

The process then moves to block 452, where random parts are generated,so as to be generalized. When one or more features for each object typeare generalized, they are, for example, generalized to a regularexpression. A regular expression is a sequence of characters that definea string pattern.

For each object type, there is provided a list of features which can begeneralized. This list may be continuously updated by systemadministrators, and the like, and is exemplary. For example, withobjects that are URLs, the parts can be generalized include, forexample, the domain, the path, the type (html/php/js) and parameters.For example, for files, features which can be generalized, include, forexample, the file path, the file name, the hash, the size, the type, theassociated digital signature (including, company, issuer and date thecertificate is valid), and the reputation of the file. For example, foran object which is a process, the features detailed above for the fileare used. For example, for a registry key object, features which can begeneralized include, the main key, sub key chains, the last sub key andthe value name and a value. When the last sub key and the value name aregeneralized, they are generalized to a regular expression.

Also, for example, a URL of znet.com/home/0731 could be generalized byseparating the suffix/home/0731 from the prefix znet.com.

The process then moves to block 454, where the random parts in therespective objects are replaced with generalized objects, e.g., regularexpressions, and the object is replaced in the attack tree. For example,objects in the attack tree which have at least some verticesgeneralized, are represented with question marks “?” in the generalizedattack tree 300′ of FIG. 5. The “?” indicates all of the objects thatwere found to be polymorphic, for example, scored by an overall score as“unknown”, from the example attack tree 300 depicted in FIG. 3. Fromblock 454, the process moves to block 410, from where it resumes, asdetailed above. The generalized attack tree 300′ of FIG. 5 is nowcomplete.

FIG. 6 depicts the results of the randomization as would be applied tothe example attack shown in FIG. 3. In the example attack, there is anunknown executable norm_folder_1\genExe_1.exe(malware_analisys_viewer.exe), located, which was downloaded fromGenURL_1 in the Internet, creating norm_folder_1\gen_Exe_1.exe(random.exe), executing known windows process SdbInst.exe, whichnorm_folder_1\gen_exe_1.exe, that writes two random files innorm_folder_2/gen_SWF_folder_1 andnorm_folder_2Vgen_EXE_3(fake_clip.mov), andnorm_folder_3\gen_Random_EXE_4.exe.

In this case, the unknown nodes are left as open to be resolved in thenew system, and the known nodes and links in order to understand that:

-   -   The machine in question is or is not infected, according to the        quantified similarity that can be found in it compared to the        original graph (attack tree);    -   In case the machine is not infected yet, how close it is to        being infected, or, in other words, what is the risk level of        the machine in question according to how many parts of the        attack tree it has in it compared to the original graph. This        way attacks are identified in their latent stages, and this        knowledge is usable for remediation later on; and,    -   Since the generalized attack tree is taken to be a strong        indicator for a specific infection, the type of infection can be        determined, and more artifacts are added to the original attack        tree.

Method for Augmenting Attacks and Finding Attack Portions on OtherMachines

Attention is now directed to FIGS. 7, 8A, 8B, 8C, 9A, 9B-1 and 9B-2,where there are provided methods for identifying attacks and maliciousactivity. These methods work on the knowledge of malware, for example,changing its behavior in different systems. Although the behavior of themalware changes, a part of the attack by the malware is always present,allowing the system of the invention, in the server 702, to detect anattack.

The system detects the malicious activity of the attack by looking atvarious attacks, for example, graphed as attack trees and subtrees (asmaller portion of the attack tree, but large enough to not have falsepositives), as disclosed above. The process of detecting maliciousactivity is a cumulative process, where newly detected maliciousactivity, from another attack tree or subtree thereof, is added to theoriginal or present generalized attack tree, continuously augmenting thegeneralized attack tree with new subtrees to identify attacks and detectlocations thereof in which malicious activity is likely to be present.

FIG. 7 shows an example environment, on which the process of theinvention is performed. A network 700, for example, an enterprisenetwork or a public network such as the Internet, is linked to a centrallocation, such as a server 702, representative of one or more servers,machines, computers, and the like. The server 702 is similar to thesystem 120′ detailed above, as it is formed of processors 702 a (forexample, arranged as part of a central processing unit (CPU) (similar tothat detailed above for the system 120′) with storage/memory 702 b(similar to that detailed above for the system 120′) for providingmachine readable instructions for the processor, including instructionsfor performing the computerized processes of FIGS. 8A, 8B and 8C,detailed below. The server 702 also includes storage media, for example,tree storage 702 c, for storing attack trees, subtrees and portionsthereof, and the aforementioned stored instructions include instructionsfor processes for generating subtrees from attack trees, as well asprocesses for locating, comparing and analyzing attack trees, subtrees,and portions thereof. This server 702, or servers, also serves as acentral location for receiving attack trees and subtrees, for example,as uploaded, from the computers/nodes 704 a-704 n (which are similar tothe system 120′ detailed above), and includes or is associated withstorage media for storing the received attack trees and subtrees as wellas the attack trees and the cumulative updates of these attack trees, asmore malicious activity is determined and found.

Also linked to the network 700 are computers 704 a-704 n, which are, forexample, client computers, representative of users on the network 700.These computers 704 a-704 n are also referred to as “nodes” and arerepresented generally as node X. The computers 704 a-704 n can calculateand generate attack trees and generalized attack trees, as detailedabove, as they include systems similar to the system 120′ detailedabove. “Linked” as used herein includes both wired or wireless links,either direct or indirect, and placing the computers, including,servers, components and the like, in electronic and/or datacommunications with each other.

The process operates, for example, that once given a malicious verticeis identified in an attack tree, as detailed above, it can be determinedthat the entire attack tree is malicious, and the machine is infected.This is because in the generalized attack tree, e.g., tree 300′, made byprocesses of the invention as detailed above, there are specificvertices, which are malicious.

FIGS. 8A, 8B and 8C show processes performed in order to detectmalicious activity by updating attack trees cumulatively. The processesof FIGS. 8A, 8B and 8C, are, for example, performed contemporaneously,automatically and in real time.

Turning to FIG. 8A, there is shown a flow diagram of a process performedto handle received attach trees and augment the present tree tocontinuously update the attack tree so as be able to identify allpresently known malicious vertices. At block 802, a first or initialgeneralized attack tree (Tx_(i)), similar to generalized attack tree300′, calculated and produced in accordance with the process detailedabove, and shown as an example in FIG. 9A (Tree 900), is received at thecentral location, e.g., server 702, from a node, e.g., computer 704a-704 n (for example, computer/node B 704 b, serving as computer/node Xfor this explanation only.) This generalized attack tree (Tx_(i)) istypically received via an upload from the client computer 704 a-704 n(e.g., computer B 704 b). This generalized attack tree (Tx_(i)) isstored in storage media associated with the server 702.

The generalized attack tree (Tx_(i)) is formed, as detailed above, andsummarized in FIG. 8B. The process of FIG. 8B, for explanation purposesonly, is performed in computer/node B 704 b, serving as computer/node X.Initially, at block 821 a trigger, for example, external or internal tothe system, the trigger such as Check Point Anti-Bot (From Check PointSoftware Technologies Ltd.) detected communication to a malicious site,or a subtree representing a known malware, occurs. This triggerinitiates the creation of the attack tree, that is calculated by thecomputer/node 704 a-704 n, as detailed in blocks 402-454. The attacktree is produced by the computer/node 704 a-704 n, at block 823 (as perblocks 402-454, detailed above). The now generalized attack tree isuploaded from the computer/node (X) 704 a-704 n, that calculated andproduced it, to the central location (e.g., server 702), at block 824,where it is received (in the server 702) at block 802.

The process moves to block 804, where the received generalized attacktree (Tx_(i)) is divided into subtrees. This is shown for example inFIG. 9A, where the attack tree (Tx_(i)) 900, is divided into subtrees oflinks and vertices broken into subtrees 950, 960, 970. The subtrees 950,960, 970 are the minimal units which will allow for the detection ofmalicious behavior without false positives.

The process moves to block 806, where the system of the central locationserver 702 responds to polls of other machines, for example, one or moreof computers 704 a-704 n, of the network 700, which have new attacktrees or subtrees. The system of the server 702 then analyzes whetherthere are attack trees and/or subtrees or parts of the subtrees exist inthe trees of the polling machine(s), at block 808. If no, the processmoves to block 810 a, where a new attack tree (the tree which wasdivided into subtrees) is created. This newly created attack tree ismoved (pushed) to a central location (for storage associated therewith),at block 810 b, and the process moves to block 814.

Returning to block 808, if subtrees or parts thereof exist and matchthose corresponding subtrees or parts thereof from the polling machine(e.g., computer 704 a-704 n), the process moves to block 812 a. At block812 a, as a prerequisite a subsequent attack tree which corresponds tothe subtrees or pars that match the subtrees at block 808 is obtained bythe process of FIG. 8C.

The process of FIG. 8C, for explanation purposes only, is performed incomputer/node C 704 c, serving as computer/node X. The machine (e.g.,computer/node 704 a-704 n) which has the subtrees or parts thereof pollsthe central location 702, at block 830. This poll is received andresponded to at block 806. It is then determined, at block 834, whetheran attack tree or subtree, or parts therof, is found in the machine(e.g., 704 a-704 n) polling the central location 702. If no, at block832, the process moves to block 834, where it ends. If yes, at block832, the process moves to block 836, where, the full attack tree orsubtree is calculated and built, on the polling computer/node 704 a-704n. The calculated attack tree or subtree is then uploaded to the centrallocation, from the computer/node 704 a-704 n, at block 838. The processresumes from block 812 a.

At block 812 a, the attack tree from the polling machine is now receivedat the central location 702, where it is added to the initial (Tx_(i))or stored (T) attack tree to create an updated or augmented attack tree(T). For example, as shown in FIG. 9B-1 a subtree 970 is shown. At block808, it was found that subtree 970 of attack tree 900, matched portionsof subtree 1000 from the polling machine. Attack tree 1002, shown inFIG. 9B-2, was built at block 836, from the subtree 1000. Attack tree1002 differs from attack tree 900 in that it adds generalized block 934,with the added attack trees 900 and 1002, resulting in attack tree (T)1004, of FIG. 9B-2. This updated or augmented attack tree (T), e.g.,attack tree 1004, is moved (pushed) to the central location 702, atblock 812 b, and the process moves to block 814.

At block 814, the central location 702 stores and includes stored attacktrees (T), as well as these attack trees broken into subtrees and otherportions. Using the stored attack tree (T), the process moves to block806 from where it repeats as detailed above. The processes of FIGS.8A-8C may operate for as long as is necessary.

Method For Creating Automatic Remediation Tools

The normalized attack tree will allow for the finding of other infectedsystems in the network that have not yet been detected, as the attack isin its early or latent stages, as well as different instances ofversions of the same attack.

This knowledge allows for the creation and development of remediationtools for specific attacks that do not compromise the legitimate systemand user data.

Two types of remediation tools are created:

-   -   1. For target machines that contain software, for example, a        recording agent, such as the agent and sensors disclosed in        commonly owned U.S. patent application Ser. No. 14/963,265,        entitled: Method and System for Determining Initial Execution of        an Attack.    -   Search for the exact generalized attack tree, (including        vertices and links) or part of it, following a predefined        algorithm that determines the minimal parts required to        understand that the machine is infected and needs to be        remediated, without compromising the legitimate system and user        data, and without false positives risk.    -   Having identified the infected machine, the attack tree is again        denormalized, replacing the generalized data with specific        artifacts on the machine.    -   Denormalized list of vertices are listed and resolved according        to their type:    -   Keep the non-malicious (known good) parts of the attack        untouched, without risking of causing damage to the system.    -   Specific cleanup of all system from all the malicious artifacts        installed in it by the attack, for example,    -   Stop malicious process from running    -   Delete/quarantine malicious file    -   Revert changes to the registry    -   Remove kernel objects created by the attack    -   The normalized tree will be uploaded to central management        tools.    -   The remediation actions to make will be distributed across the        machines in the network using our centralized management        distribution tools.    -   The remediation software already existing in each end point        machine will take care of the actual execution.

2. For target machines that do contain software, for example, arecording agent, such as the agent and sensors, as disclosed in commonlyowned U.S. patent application Ser. No. 14/963,265, entitled: Method andSystem for Determining Initial Execution of an Attack. In this case, thelinks in the graph cannot be searched and historical data is notpresent.

The accuracy and false positive risk will be lower than in the previouscase.

A generalized list of all the normalized and not-normalized (known)vertices in the tree is created.

An automatic script that can be run by external script executing tools(powershell, command line, etc.) that contains the relevant remediationaction for the every node based on its type, is created as follows:

Process: Attempt to kill it and delete the file. If killing fails, markthe process file for deletion on next reboot, and trigger a reboot atthe end of the remediation script

Files or other objects: Try to delete the file. If deletion fails, markthe file for deletion on next reboot, and trigger a reboot at the end ofthe remediation script

Registry keys: If the registry key or value is completely owned by themalware (it didn't exist before and is not used by other application),delete it. Otherwise check if we have enough constant information torevert to the original value. If not, do not take any further action.

Implementation of the method and/or system of embodiments of theinvention can involve performing or completing selected tasks manually,automatically, or a combination thereof. Moreover, according to actualinstrumentation and equipment of embodiments of the method and/or systemof the invention, several selected tasks could be implemented byhardware, by software or by firmware or by a combination thereof usingan operating system.

For example, hardware for performing selected tasks according toembodiments of the invention could be implemented as a chip or acircuit. As software, selected tasks according to embodiments of theinvention could be implemented as a plurality of software instructionsbeing executed by a computer using any suitable operating system. In anexemplary embodiment of the invention, one or more tasks according toexemplary embodiments of method and/or system as described herein areperformed by a data processor, such as a computing platform forexecuting a plurality of instructions. Optionally, the data processorincludes a volatile memory for storing instructions and/or data and/or anon-volatile storage, for example, non-transitory storage media such asa magnetic hard-disk and/or removable media, for storing instructionsand/or data. Optionally, a network connection is provided as well. Adisplay and/or a user input device such as a keyboard or mouse areoptionally provided as well.

For example, any combination of one or more non-transitory computerreadable (storage) medium(s) may be utilized in accordance with theabove-listed embodiments of the present invention. The non-transitorycomputer readable (storage) medium may be a computer readable signalmedium or a computer readable storage medium. A computer readablestorage medium may be, for example, but not limited to, an electronic,magnetic, optical, electromagnetic, infrared, or semiconductor system,apparatus, or device, or any suitable combination of the foregoing. Morespecific examples (a non-exhaustive list) of the computer readablestorage medium would include the following: an electrical connectionhaving one or more wires, a portable computer diskette, a hard disk, arandom access memory (RAM), a read-only memory (ROM), an erasableprogrammable read-only memory (EPROM or Flash memory), an optical fiber,a portable compact disc read-only memory (CD-ROM), an optical storagedevice, a magnetic storage device, or any suitable combination of theforegoing. In the context of this document, a computer readable storagemedium may be any tangible medium that can contain, or store a programfor use by or in connection with an instruction execution system,apparatus, or device.

A computer readable signal medium may include a propagated data signalwith computer readable program code embodied therein, for example, inbaseband or as part of a carrier wave. Such a propagated signal may takeany of a variety of forms, including, but not limited to,electro-magnetic, optical, or any suitable combination thereof. Acomputer readable signal medium may be any computer readable medium thatis not a computer readable storage medium and that can communicate,propagate, or transport a program for use by or in connection with aninstruction execution system, apparatus, or device.

As will be understood with reference to the paragraphs and thereferenced drawings, provided above, various embodiments ofcomputer-implemented methods are provided herein, some of which can beperformed by various embodiments of apparatuses and systems describedherein and some of which can be performed according to instructionsstored in non-transitory computer-readable storage media. describedherein. Still, some embodiments of computer-implemented methods providedherein can be performed by other apparatuses or systems and can beperformed according to instructions stored in computer-readable storagemedia other than that described herein, as will become apparent to thosehaving skill in the art with reference to the embodiments describedherein. Any reference to systems and computer-readable storage mediawith respect to the following computer-implemented methods is providedfor explanatory purposes, and is not intended to limit any of suchsystems and any of such non-transitory computer-readable storage mediawith regard to embodiments of computer-implemented methods describedabove. Likewise, any reference to the following computer-implementedmethods with respect to systems and computer-readable storage media isprovided for explanatory purposes, and is not intended to limit any ofsuch computer-implemented methods disclosed herein.

The flowcharts and block diagrams in the Figures illustrate thearchitecture, functionality, and operation of possible implementationsof systems, methods and computer program products according to variousembodiments of the present invention. In this regard, each block in theflowchart or block diagrams may represent a module, segment, or portionof code, which comprises one or more executable instructions forimplementing the specified logical function(s). It should also be notedthat, in some alternative implementations, the functions noted in theblock may occur out of the order noted in the figures. For example, twoblocks shown in succession may, in fact, be executed substantiallyconcurrently, or the blocks may sometimes be executed in the reverseorder, depending upon the functionality involved. It will also be notedthat each block of the block diagrams and/or flowchart illustration, andcombinations of blocks in the block diagrams and/or flowchartillustration, can be implemented by special purpose hardware-basedsystems that perform the specified functions or acts, or combinations ofspecial purpose hardware and computer instructions.

The descriptions of the various embodiments of the present inventionhave been presented for purposes of illustration, but are not intendedto be exhaustive or limited to the embodiments disclosed. Manymodifications and variations will be apparent to those of ordinary skillin the art without departing from the scope and spirit of the describedembodiments. The terminology used herein was chosen to best explain theprinciples of the embodiments, the practical application or technicalimprovement over technologies found in the marketplace, or to enableothers of ordinary skill in the art to understand the embodimentsdisclosed herein.

As used herein, the singular form “a”, “an” and “the” include pluralreferences unless the context clearly dictates otherwise.

The word “exemplary” is used herein to mean “serving as an example,instance or illustration”. Any embodiment described as “exemplary” isnot necessarily to be construed as preferred or advantageous over otherembodiments and/or to exclude the incorporation of features from otherembodiments.

It is appreciated that certain features of the invention, which are, forclarity, described in the context of separate embodiments, may also beprovided in combination in a single embodiment. Conversely, variousfeatures of the invention, which are, for brevity, described in thecontext of a single embodiment, may also be provided separately or inany suitable subcombination or as suitable in any other describedembodiment of the invention. Certain features described in the contextof various embodiments are not to be considered essential features ofthose embodiments, unless the embodiment is inoperative without thoseelements.

The above-described processes including portions thereof can beperformed by software, hardware and combinations thereof. Theseprocesses and portions thereof can be performed by computers,computer-type devices, workstations, processors, micro-processors, otherelectronic searching tools and memory and other non-transitorystorage-type devices associated therewith. The processes and portionsthereof can also be embodied in programmable non-transitory storagemedia, for example, compact discs (CDs) or other discs includingmagnetic, optical, etc., readable by a machine or the like, or othercomputer usable storage media, including magnetic, optical, orsemiconductor storage, or other source of electronic signals.

The processes (methods) and systems, including components thereof,herein have been described with exemplary reference to specific hardwareand software. The processes (methods) have been described as exemplary,whereby specific steps and their order can be omitted and/or changed bypersons of ordinary skill in the art to reduce these embodiments topractice without undue experimentation. The processes (methods) andsystems have been described in a manner sufficient to enable persons ofordinary skill in the art to readily adapt other hardware and softwareas may be needed to reduce any of the embodiments to practice withoutundue experimentation and using conventional techniques.

While embodiments of the disclosed subject matter have been described,so as to enable one of skill in the art to practice the presentdisclosed subject matter, the preceding description is intended to beexemplary only. It should not be used to limit the scope of thedisclosed subject matter, which should be determined by reference to thefollowing claims.

1. A method for detecting potential malware comprising: a) 1) obtainingan attack tree representative of an attack on a network, the attack treeformed of objects; 2) analyzing the objects to determine whether each ofthe objects is classified as known or unknown, in accordance withpredefined criteria; and, 3) representing the unknown objects in theattack tree as generalized objects, resulting in the creation of ageneralized attack tree from the obtained attack tree; b) dividing thefirst generalized attack tree into subtrees including first generalizedobjects; c) obtaining at least one subtree including second generalizedobjects associated with a subsequent generalized attack tree includinggeneralized objects; d) comparing at least one of the subtrees from thefirst generalized attack tree to the at least one subtree associatedwith the subsequent generalized attack tree, based on at least partialmatches of the first and second generalized objects; and, e) augmentingthe first generalized attack tree based on the at least one subtreeassociated with the subsequent generalized attack tree.
 2. The method ofclaim 1, wherein the objects include links and vertices.
 3. The methodof claim 2, wherein the links are determined to be known.
 4. The methodof claim 2, wherein each of the vertices is determined to be known,unless the object type of the vertice is determined as unknown when: a)the object type is unknown in accordance with a score; or, b) the objecttype is known and malicious in accordance with a score.
 5. The method ofclaim 4, wherein the object type includes at least one of: a uniformresource locator (URL), a file, a process, or a registry key.
 6. Themethod of claim 2, wherein the least partial matches includes matchingless than all of the first generalized objects with the secondgeneralized objects.
 7. The method of claim 2, wherein the least partialmatches includes matching all of the first generalized objects with thesecond generalized objects.
 8. The method of claim 4, wherein the scoreincludes at least one of: a field score, a numeric score, and an overallscore based on the sum of: 1) field scores, and, 2) numeric scores. 9.The method of claim 1, wherein the attack on the network occurs in atleast one machine linked to the network.
 10. The method of claim 1,wherein the attack on the network occurs at an endpoint of the network.11. The method of claim 6, wherein the augmenting the first generalizedattack tree based on the at least one subtree associated with thesubsequent generalized attack tree includes adding the secondgeneralized objects which do not match the first generalized objects tothe first generalized attack tree.